Update: In case you're curious, yes I've contacted them and explained the vulnerability.
I cannot name the Web site (and if I could, I wouldn't since they desperately need to fix this security hole), but I forgot my password and requested a new one. So they sent one:
September911
Excuse me??? Sending me something which appears to be the date of an incredibly tragic incident on US soil? Shocked, I requested a new password four times. Each password matched qr/^$month_name\d{3}$/.
Anyone see a problem there?
Here are a few more interesting tidbits I've found:
In other words, request someone's password be reset (I have the email addresses of a number of rather well-known individuals handy), wait a couple of minutes and then kick off a short mech script to cycle through the 12,000 passwords until you log in.
Look. I know most people aren't security experts, but this is nothing short of astonishing.
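To make the arithmetic behind the 12,000 figure concrete, and to show what the reset flow should have looked like instead, here is an added Python example. It is not code from the original post or from the site in question; the month list, the key space computation and the PasswordResetService class are my own construction, and the weak pattern is simply the qr/^$month_name\d{3}$/ regex quoted above spelled out in Python. The service stores only a hash of a 256-bit random token, expires it after fifteen minutes, allows a handful of attempts, and makes the token single-use, which is what turns "cycle through 12,000 passwords" from a lunch-break job into a non-starter.

```python
import hashlib
import hmac
import math
import re
import secrets
import time

# The scheme reported in the post: a month name followed by exactly three
# digits (e.g. "September911"). Month list is assumed; the post gives only the regex.
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
WEAK_PATTERN = re.compile(r"^(?:" + "|".join(MONTHS) + r")\d{3}$")


def weak_keyspace() -> int:
    """Distinct values the month-name + 3-digit scheme can ever produce."""
    return len(MONTHS) * 10 ** 3          # 12 * 1000 = 12,000


def entropy_bits(keyspace: int) -> float:
    """Equivalent bits of entropy for a uniformly chosen value from `keyspace`."""
    return math.log2(keyspace)


def looks_weak(password: str) -> bool:
    """True if a reset password matches the weak month+digits pattern."""
    return WEAK_PATTERN.fullmatch(password) is not None


TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG
TOKEN_TTL_SECONDS = 15 * 60  # tokens die after fifteen minutes
MAX_ATTEMPTS = 5             # then the token is discarded and must be re-requested


class PasswordResetService:
    """Minimal reset-token flow (constructed example): hashed, expiring, single-use."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # email -> {"hash": ..., "expires": ..., "attempts": ...}

    @staticmethod
    def _hash(token: str) -> str:
        # Store a hash so a leaked table does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, email: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[email] = {
            "hash": self._hash(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token  # this is what gets emailed, never stored in the clear

    def redeem(self, email: str, presented: str) -> bool:
        rec = self._pending.get(email)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._pending[email]       # expired: force a fresh request
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[email]       # too many guesses: burn the token
            return False
        if hmac.compare_digest(rec["hash"], self._hash(presented)):
            del self._pending[email]       # single use
            return True
        return False


if __name__ == "__main__":
    print(f"weak scheme: {weak_keyspace()} values, "
          f"{entropy_bits(weak_keyspace()):.1f} bits")
    print(f"random token: {entropy_bits(256 ** TOKEN_BYTES):.0f} bits")
    svc = PasswordResetService()
    tok = svc.issue_token("user@example.com")
    print("token looks weak?", looks_weak(tok))
    print("redeem once:", svc.redeem("user@example.com", tok))
    print("redeem again:", svc.redeem("user@example.com", tok))
```

The two numbers the script prints side by side are the whole argument: roughly 13.6 bits for the month-plus-digits scheme against 256 bits for a token drawn from the OS random source. The attempt cap and expiry are what matter on the server side even if the token were strong; without them, any guessable scheme is an open door.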